Professional Comment

Complying with Data Protection Regulations in Care Homes

By Becky White, Senior Data Protection and Privacy Solicitor at Harper James

Care homes are data controllers for the personal data of their residents and residents' families, as well as of their staff. They therefore collect and process large amounts of information and must meet not only the general compliance obligations set out in data protection legislation such as the UK GDPR, but also the particular challenges and obligations that come with the unique environment in which they operate. Some of these are covered by the National Data Guardian's 10 data security standards, which since 2017 have been a requirement for everyone working in health and social care.

These challenges include the fact that care homes are often custodians of large amounts of sensitive personal data, such as medical records or information about religious or philosophical beliefs (both of which are 'special category' data under Article 9 UK GDPR and must be treated with additional caution), and in some instances financial information.

Add to this the potentially vulnerable nature of the data subjects, some of whom may lack the 'capacity' to make decisions or to exercise their own data protection rights, and it is easy to see why a suitable data protection programme is paramount to ensuring that every organisation operating in the health and social care sector follows a consistent and compliant approach.

The following is a non-exhaustive list of points that care organisations should bear in mind when devising a data protection programme:

1. Lawful basis: Organisations must ensure there is an appropriate lawful basis for processing personal data obtained from residents, families or staff. In some instances this will be 'performance of a contract' or 'consent', or one of the other bases set out in Article 6 UK GDPR such as 'protection of vital interests'. Consent should be relied on with care: it must be freely given, specific and capable of being withdrawn, and it is rarely appropriate where the resident depends on the home for their care. Whichever basis applies, it must be determined before processing begins and documented clearly and transparently in a privacy notice. Where special category data is collected, an additional condition from Article 9 must also be identified and documented.

2. Data minimisation: Care homes should only collect and store personal data that is necessary to achieve the purposes for which it is obtained, whether that is providing care and support or administering staff contracts. Organisations should always avoid collecting excessive or unnecessary information and should be clear about how long information is retained and when it should be deleted.

3. Security measures: Care homes should ensure that appropriate technical and organisational measures are in place to protect personal data from unauthorised access, disclosure, alteration or destruction. Most homes now use an IT system to store and manage resident personal data and should therefore be mindful of the National Data Guardian's 10 data security standards, which require organisations to proactively prevent data security breaches. This includes keeping technology up to date (unsupported operating systems, software and internet browsers should not be used), ensuring that staff can only access resident data on a 'need to know' basis for their current role, with access removed as soon as it is no longer required, and reviewing processes at least annually.

Where a care home operates a structured paper filing system, data protection legislation and the requirement to implement appropriate security measures apply equally, so organisations should have an appropriate records management and security policy. This may include measures such as ensuring that filing cabinets are fireproof and locked, and that a clear desk policy is in place.

4. Staff training: Organisations should make sure that all staff members are trained on data protection principles and understand their responsibilities in handling personal data. The National Data Guardian's 10 data security standards require that all staff are equipped to handle information respectfully and safely, according to the Caldicott Principles (a set of eight principles governing the use of confidential information within health and social care organisations), and include a requirement that staff complete appropriate data security training every year.

5. Data sharing: Organisations should only share resident personal data with clearly authorised individuals or organisations that have a legitimate need to access it. To guarantee consistency on this point and to enable staff to react appropriately under pressure, organisations should have a clear policy and strict controls for sharing data with external parties such as healthcare professionals or family members, so as to avoid unnecessary data breaches or challenges. Where a third-party data processor is appointed to manage or store information, a written contract containing the terms required by Article 28 UK GDPR is mandatory, and a Data Protection Impact Assessment should be carried out where the processing is likely to result in a high risk to individuals.

6. Individual rights: The data protection rights of care home residents must be respected as for any other category of data subject. This may involve complying with a request to access their personal data, to rectify inaccuracies, or to have processing erased or restricted.

Organisations should ensure appropriate procedures are in place to handle these requests promptly and effectively, as they are time sensitive: a response is normally due within one month of receipt. In some cases a resident may authorise a third party (e.g. a relative or a solicitor) to exercise their individual rights, for example where the resident has lost capacity and a power of attorney has been granted. Care homes should have procedures to verify the identity of the requester and, where a third party is involved, that they are authorised to act on the resident's behalf before any data is disclosed.

7. Data breaches: A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Organisations should develop a response plan setting out what action is to be taken if a breach occurs, including procedures for notifying the ICO and affected individuals where required by law. Under UK GDPR a breach must be reported to the ICO without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it, unless it is unlikely to result in a risk to individuals; affected individuals must be told without undue delay where the breach is likely to result in a high risk to them.

The National Data Guardian's 10 data security standards also set out specific steps that must be taken where a cyberattack has caused a data breach or a near miss, including responding to CareCERT (the NHS Digital Care Computer Emergency Response Team) security advice and reporting the incident to senior management within 12 hours of detection.

8. Governance: A care home whose core activities involve large-scale processing of special category data, such as health records, must appoint a data protection officer (Article 37 UK GDPR). Either way, accountability is one of the core data protection principles of UK GDPR, so it is essential that an appropriate privacy management framework is implemented, with those at the highest management level taking responsibility for compliance, to create a culture of privacy and trust.

Treating residents' personal data with respect is a fundamental aspect of providing high-quality care services and ensuring that the dignity and rights of residents are upheld.